David Caissy

Reputation: 2229

Openssl x509v3 Extended Key Usage

I know you can specify the purpose for which a certificate public key can be used by adding a line like this one in the openssl.cfg file:

extendedKeyUsage=serverAuth,clientAuth

But since I have several certificates to create, each with a different extended key usage, is it possible to specify which attribute I need in the command line (without using the openssl.cfg file)? Something like:

openssl req -newkey rsa:4096 \
            -extendedKeyUsage "serverAuth,clientAuth" \
            -keyform PEM \
            -keyout server-key.pem \
            -out server-req.csr \
            -outform PEM

Thanks!

Upvotes: 64

Views: 114948

Answers (6)

sbernard

Reputation: 784

With recent versions of OpenSSL you can use the -addext option to add extended key usage.

For your specific case this should look like:

openssl req -newkey rsa:4096 \
            -addext "extendedKeyUsage = serverAuth, clientAuth" \
            -keyform PEM \
            -keyout server-key.pem \
            -out server-req.csr \
            -outform PEM

You can verify the output with:

openssl req -noout -text  -in server-req.csr

A more common use case is to also set subject and key usage.

With the same example:

openssl req -newkey rsa:4096 \
            -subj '/CN=My Name' \
            -addext "keyUsage = digitalSignature,keyAgreement" \
            -addext "extendedKeyUsage = serverAuth, clientAuth" \
            -keyform PEM \
            -keyout server-key.pem \
            -out server-req.csr \
            -outform PEM

Upvotes: 7
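As an added example (not code from the answer above), here is the -addext approach wrapped in two small shell functions: one that creates a key and CSR requesting a given EKU list, and one that checks the CSR text for the purpose you expect before the CSR goes to a CA. File names, the CN suffix and the 2048-bit key size are assumptions for this demo; it needs OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example, not from the original answer. Create a CSR with -addext and
# confirm the requested extensions are present before handing it to a CA.
# Requires OpenSSL 1.1.1 or newer. Names below are assumptions for the demo.
set -eu

# Generate an unencrypted RSA key and a CSR requesting keyUsage and EKU.
# $1 = output basename, $2 = comma-separated EKU list, e.g. "serverAuth, clientAuth"
make_csr() {
    base=$1
    eku=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=${base}.example.test" \
        -addext "keyUsage = digitalSignature, keyEncipherment" \
        -addext "extendedKeyUsage = ${eku}" \
        -keyout "${base}-key.pem" \
        -out "${base}-req.csr" \
        -outform PEM 2>/dev/null
}

# Return 0 if the CSR's Extended Key Usage line names the given purpose.
# "openssl req -text" prints the human-readable name on the line after the
# "X509v3 Extended Key Usage:" header, so that is the line we match.
# $1 = CSR path, $2 = printed purpose, e.g. "TLS Web Server Authentication"
csr_requests_eku() {
    openssl req -noout -text -in "$1" \
        | awk '/X509v3 Extended Key Usage/{getline; print}' \
        | grep -q "$2"
}

# Stand-alone run: one server CSR and one client-only CSR in a scratch dir.
demo() {
    workdir=$(mktemp -d)
    cd "$workdir"
    make_csr server "serverAuth, clientAuth"
    make_csr client "clientAuth"
    csr_requests_eku server-req.csr "TLS Web Server Authentication" \
        && echo "server CSR requests serverAuth"
    csr_requests_eku client-req.csr "TLS Web Server Authentication" \
        || echo "client CSR does not request serverAuth (as intended)"
    cd / && rm -rf "$workdir"
}

command -v openssl >/dev/null 2>&1 && demo
```

Keep in mind that extensions in a CSR are only a request: whether they end up in the issued certificate depends on the CA's signing configuration (for the openssl ca tool, the copy_extensions setting), so check the final certificate with openssl x509 -noout -text as well.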

KUL

Reputation: 491

Mike Twc (https://stackoverflow.com/users/7775187/mike-twc) is absolutely right! Unfortunately, I do not have enough reputation to mark his answer as correct or to add an extension to his answer, so I am writing a new answer ... You need to use -addext, but keep in mind that the parameter here is key->value, and all values must be separated by commas.

openssl req -x509 -nodes -newkey rsa:4096 -keyout efs.key -out efs.crt -days 36500 -subj '/CN=EFS/O=Company' -addext 'extendedKeyUsage=1.3.6.1.4.1.311.10.3.4,1.3.6.1.4.1.311.10.3.4.1'

Upvotes: 3

Mike Twc

Reputation: 2355

You may try addext:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt \
    -subj '/CN=User1' \
    -addext extendedKeyUsage=1.3.6.1.4.1.311.80.1 \
    -addext keyUsage=keyEncipherment

Works on openssl 1.1.1a

Upvotes: 26

fatfatson

Reputation: 885

The same as processing a SAN:

openssl req -subj "/CN=client" -sha256 -new -key client-key.pem -out client.csr \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com\nextendedKeyUsage=serverAuth,clientAuth"))

Upvotes: 7

patrikbeno

Reputation: 1124

You can only use something like this:

openssl -extensions mysection -config myconfig.cnf

and myconfig.cnf:

[mysection]
keyUsage         = digitalSignature
extendedKeyUsage = codeSigning

I am not aware of a command line interface to this functionality.

Upvotes: 40

David Caissy

Reputation: 2229

What I ended up doing is creating several different openssl.cfg files and referring to the proper one by using either the -config or the -extfile switch.

Upvotes: 14
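As an added example illustrating the -config / -extfile approach from patrikbeno's answer and the one above (this is not code from either answer), the script below keeps one config file with a [section] per certificate profile, selects a section with -reqexts when creating the CSR and with -extfile/-extensions when signing. It also shows the point a practitioner should check: a CSR only requests an EKU, and openssl x509 -req drops requested extensions unless you supply them from a file (or, on OpenSSL 3.x, pass -copy_extensions copy). Section names, file names and CN values are assumptions for this demo; it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not the answers' own code. One config file, one [section]
# per certificate profile; the section is chosen per command. Section and
# file names are assumptions for this demo. Needs OpenSSL 1.1.1 or newer.
set -eu

PROFILES=profiles.cnf

# Write the profile file. The empty req_dn section is required by "openssl
# req" even though the subject comes from -subj rather than from prompts.
write_profiles() {
    cat > "$PROFILES" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ server_ext ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ client_ext ]
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Throwaway self-signed CA for the demo, using the ca_ext profile.
make_ca() {
    openssl req -x509 -config "$PROFILES" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout ca-key.pem -out ca-cert.pem 2>/dev/null
}

# $1 = basename, $2 = profile section. The CSR carries the requested extensions.
make_csr() {
    openssl req -new -config "$PROFILES" -reqexts "$2" \
        -newkey rsa:2048 -nodes -subj "/CN=$1.example.test" \
        -keyout "$1-key.pem" -out "$1-req.csr" 2>/dev/null
}

# $1 = basename, $2 = profile section, $3 = output certificate path.
# The signer, not the requester, decides which extensions the cert gets.
sign_with_profile() {
    openssl x509 -req -in "$1-req.csr" -CA ca-cert.pem -CAkey ca-key.pem \
        -CAcreateserial -days 30 -extfile "$PROFILES" -extensions "$2" \
        -out "$3" 2>/dev/null
}

# $1 = basename, $2 = output path. No extension source: the EKU the CSR
# asked for does not appear in the certificate.
sign_without_profile() {
    openssl x509 -req -in "$1-req.csr" -CA ca-cert.pem -CAkey ca-key.pem \
        -CAcreateserial -days 30 -out "$2" 2>/dev/null
}

# Return 0 if the certificate's Extended Key Usage line names $2.
cert_has_eku() {
    openssl x509 -noout -text -in "$1" \
        | awk '/X509v3 Extended Key Usage/{getline; print}' \
        | grep -q "$2"
}

demo() {
    workdir=$(mktemp -d); cd "$workdir"
    write_profiles; make_ca
    make_csr www server_ext
    sign_with_profile www server_ext www-cert.pem
    sign_without_profile www www-bare.pem
    cert_has_eku www-cert.pem "TLS Web Server Authentication" \
        && echo "signed with profile: serverAuth present"
    cert_has_eku www-bare.pem "TLS Web Server Authentication" \
        || echo "signed without profile: serverAuth missing"
    cd / && rm -rf "$workdir"
}

command -v openssl >/dev/null 2>&1 && demo
```

Because every profile lives in its own section, adding a new certificate type (for example a codeSigning profile) is one more section in the file rather than another copy of openssl.cnf, and the same section name is used for both the CSR and the signing step so the two cannot drift apart.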
